Thursday, March 22, 2007

It begins: "When I was quite young and quite small for my size, I met an old man in the Desert of Drize." This man tells the narrator (a small boy) and the reader to "[s]uppose, just suppose, you were poor Herbie Hart, who has taken his Throm-dim-bu-lator apart!" and other strange ways you could be worse off, in the hope that it cheers you up.

Briefly: someone at the Alaska Department of Revenue formatted a disk holding the information on how $38 Billion (US Dollars) should be divided. The format was perfect; the information could not be retrieved. The backup tapes failed. The only other backup was paperwork in 300 cardboard boxes. To make matters worse, there was a deadline on the payment.

None of the actual money was lost, but the department had to hire 12 new full-time staff and pay 70 staff overtime to recapture all the information again.

So, in the words of Dr Seuss, and the old man in the Desert of Drize:

"Some people are much more...
Oh, ever so much more...
Oh, muchly much-much more
Unlucky than you!"

Thursday, March 15, 2007

Computers are there to basically make the information look good. Networks are there to move it all about to where (in theory) it is most useful.

Computers are not just all about presentation; they also mold data into useful information and other neat things. But it's the Information that is king. That is why the general term for people that work with computers is "Information Technology".

So, why is everything we do there to protect computers and networks?

If a computer is compromised - kill it. Stick another in its place. Instantly.

The technology is available to do this. But I haven't seen people use it.

Is it being used?

The way to do this is to keep the data on a separate drive from the applications (as Unix has always advised; welcome to the 70s, again) and, if there is any doubt, kill the machine and pop a fresh install in its place.

Wednesday, March 14, 2007

It is a widely held belief in the Open Source circles that the reason that Windows is so popular is that it is installed by default on new PCs and that if the same were true with Linux it would gain market share.

Maybe and maybe not. But we haven't been able to see this because Linux has never been installed by default on desktops coming from companies like Dell. Conspiracy theories say that Microsoft's secret agreements with vendors contain a no-Linux clause.

If this is true then Dell now has an issue - (from the article)

"Created in response to growing concern that Dell was not paying enough attention to its customers, IdeaStorm allows Dell users to tell the company what changes they would like the PC maker to implement. The suggestions that get the most votes from other users are pushed to the top of the page.

The two most popular ideas on the site implore Dell to consider offering Linux and the OpenOffice suite as an alternative to Microsoft Windows and Office. Between them they have received almost 200,000 votes."

Dell now has to install Linux or accept the fact that they can't deliver what their customers want. Anyhow, it looks like Dell are about to deliver Linux, and time will tell what this means for Microsoft, who are battling with a new product that doesn't seem to offer much more than a fancy new screen and fighting the growing Apple fanbase. (It is once again cool to like Apple. Welcome back, Mr Jobs.)

Of course, since this is a Security blog, I have to mention that so far it seems Vista is more secure than XP. But Microsoft's excuse for why there aren't viruses and such for Linux has always been that no-one really uses Linux as a desktop. Well... no-one really uses Vista yet either. And having the main selling point be "Well, it's more secure than any earlier version of Windows" is not saying very much. Most Operating Systems are.

Still, Microsoft are trying and good luck to them. They are about where Unix was in the 70s.

Tuesday, March 13, 2007

"γνῶθι σεαυτόν" "Know Thyself". As Neo found out when he went to visit the Oracle.

In an industry where "proactive" is the biggest buzzword it seems to me that we in the Information Security field are not doing so well.

From observations in the industry I have noticed a trend to allow Auditors to dictate what needs to be done (and in turn - point out what is not being done). In some companies what the auditors say should be done is all that gets done.

This is very different to how the Accounting profession works. The books get drawn up and approved by management, and only then do the Auditors come through and approve them. Note the difference: here the Accountants decide what should be done and how, and the auditors just see if it is done. And management is involved.

It may be that management sees us as IT "guys". They may not think very highly of us, and they may believe that the Auditors are great and all-knowing. In my experience the auditors have come across as being very knowledgeable (even though I have had some good laughs at some audit findings). They usually arrive with ties and jackets and shiny shoes. And checklists and boring-looking software. And they are backed by international auditing firms that have Ways Of Doing Things.

We are lumped in with IT. We are told what the auditors found wrong and told to fix it; that is how IT works. This is what needs to change.

Even many people involved in Information Security overemphasize the importance of Auditors, here in South Africa and, it seems, abroad. I've noticed a number of American bloggers trying to push Information Security as a goal and compliance as a result. This fits into the same concept.

We need to be proactive and tell Auditors: this is what we do, and this is why. And slowly change perceptions and become guides to our organisations.

Monday, March 12, 2007

1. Be proactive - procrastinators don't have it easy. It's hard work doing nothing. Make sure you have a plan set up. What if someone discovers how little work you do? Make sure you have a messy desk so you look busy. Arrange false meetings, etc. Book your calendar full. Use your phone a lot. Browse websites. Do a blog.

2. Begin with the end in mind - visualize how not to work, what you can be doing, how to get around obstacles like bosses and HR.

3. First things first - blah blah blah long term goals etc etc. You know the drill. Also delegate; if you have to do something, make sure that it's delegation.

4. Think win/win - if you don't work hard your company doesn't have to pay you much - win/win.

5. Seek First to Understand, Then to be Understood - make sure you understand your boss before you take advantage of the situation. Know his weak points, when he arrives and leaves, what time he takes lunch, etc. Those are the best times to read comics online.

6. Synergize - how to work in teams. Simple - the whole office has one big quake contest while one of you keeps a look out for the boss. Even better - use cameras. But the important thing is to work as a team!

7. Sharpen the saw - all work and no play make you dull - take some time off. Do some work even - shock everybody.

This is tongue in cheek - please do not think I do the above. 'Cept maybe Blog. Oops, there's the boss... until next time...

Thursday, March 8, 2007

In summary the article blames all the problems we have today on the way the Internet was designed.

In my first (serious) post on my blog I discuss how secure we were back in the 70s (well... not me... I was still a kid) because computers were designed to not trust their users. With the advent of DOS computers became all-trusting, and it has taken time to get back to how it was in the 70s. We are still on our way.

Add the two together and you get strict, secure PCs and open networks. Sounds good to me.

Maybe one day PCs will be so tight that they can sit out on the Internet and we will not have to worry about them. Maybe we will be able to know who is connecting to our network and be happy in the knowledge that their PC can't possibly be in dire need of patches. Maybe viruses will become a thing of the past.

Social engineering will always be with us until we can build better people. Maybe our kids are already learning. We grew up in a world where you don't talk to strangers, they are growing up in one where you don't blog with them or instant message them. The wolf is still there, he is just online. And maybe this will make our kids more infosec aware.

I don't see us ever getting rid of Firewalls but it would be nice if the work of keeping PCs safe was done on the boxes and not on the network. Like it was in the 70s.

Wednesday, March 7, 2007

Before I begin let me say that this post is about Information Security in a way and, yes, I did clean up the sugar.

I was at work yesterday and I made myself my usual morning cup of tea. On the way between the very cumbersome sugar bowl and the cup I managed to spill almost the entire teaspoon of sugar on the counter. That's a lot of sugar. And a thought went through my head - picture a tiny little version of me sitting on my shoulder dressed in red looking like a devil. "Walk away. No one will know and someone will clean it up." A little angel popped up and told me differently and I did clean up the sugar, but while I was finishing the cup of tea I wondered what factors I took into account before thinking "naaah." And because I am always thinking Information Security (except at home - I love my family), how can I use this unexpected bit of evil in me for good?

When I spilled the sugar there was no one in the kitchen with me. No one, and I am sure about that. I was not being monitored and I know that too. Had there been someone there, or just the possibility of someone there, I would not have hesitated to clean up the sugar.

There is always some sugar on the counter because not all of it goes into cups - the sugar bowl is too tall. It is accepted that a bit of sugar on the counter is the norm and no-one feels bad spilling a bit of sugar; it's almost expected. So, how much is too much?

There are cleaners that work in the kitchen and they would have cleaned up the mess eventually - if no-one else did first. So, the mess would have been cleaned up.

And lastly, I didn't have anything to clean the mess up with. I went to get a piece of paper and scooped the sugar onto the paper with my hand, and then put it all in the bin, but there was no tool for me to use that was designed for the job.

Another thing to consider, perhaps, is that it's not my sugar or my counter. Maybe if they were I'd have been more careful.

Now, InfoSec. If your users are abusing your network, it may be because:

You are not monitoring them correctly.

You are monitoring, but allowing small indiscretions through... where do you draw the line?

It is assumed that IT or someone can fix the issues arising from stuff like installing Spyware, etc.

They don't have the training or the software in place to help them be secure.

They don't feel security is their job, and the company's data is not their asset.

I've been working hard at work. And I've neglected this blog. It started off with a bang and now it is fizzling. So, here is a tidbit I came up with a while ago.

This may be obvious to some, and hopefully it will be obvious once you have read the post, but when I came up with this idea it took a lot of thinking and a lot of convincing everyone around me that this is how it works.

Please note that this does not necessarily represent the company I work for, the company I am contracted to or any other company living or dead, blah blah blah. It's hopefully applicable to ALL businesses.

Let's begin... businesses sell stuff. They either sell services or products, but with nothing to sell they are not really all that useful; ask Enron.

Traditionally there have been two camps of people in businesses: users of information, and the guys who make sure that the information gets to where it needs to be. You could call them "Business Decision Makers" and "IT".

Business Decision Makers could be anyone in the company, from the CEO to the receptionist.

In terms of the CEO, think "how many widgets did we sell this week?" For the receptionist it is "What is Jack from Accounts' number so I can put this call through?"

I call these people "Those that do not know" because they have no idea how the magic happens; they just need it to happen. And if it doesn't, there are problems. Note that IT could fall into this category as they use information, but their main job is to make sure that the information gets to where it should be, and they should know how to get it there.

Next is IT. Their contract with Business is an SLA or a KPI. The main part of the contract, in both the IT department's mind and Business's mind, is the "Availability" part. Downtime will be "8 seconds every 7 months" or such. Security is tucked into the contract, but it is way down at the bottom and usually doesn't have an SLA. Or a realistic SLA, anyhow. "IT will keep all patches up to date".

Traditionally security has been seen as an IT function. But try to do something that may make the organisation more secure but at the same time will require downtime or could result in unscheduled downtime. You will be hit on the head with the contract and be shown the SLAs. I call the guys in IT, from the CIO all the way down to the guy who fixes PCs, "Those that do not care". It's not really that they don't care about security as such; they just have bigger fish to fry: their SLAs. Speaking of the guy fixing PCs, if he has to choose between setting the CEO's password to something hard to guess or "Password1", which do you think he'll choose? He'll want to get the old man off his back and working again - Availability.

So, we have the two camps, "TTDNK" and "TTDNC". Where does Information Security sit? Well, we sit in the middle. And it's not a comfortable place to sit. Essentially what we sell (Confidentiality, Integrity and, the big one, Availability) is something that Business does want. They just don't know that their data may be at risk of having one of these taken away. We have to show them that. We also have to show them that by ignoring the C and I, they are at risk and they are the ones that will be left responsible. We also need to work with IT and show them that they can make the C and I work without too much extra on their plates. And with both sides we need to review SLAs that don't allow for things like patching.

Extending this to everyday activities: if a patch comes out for a piece of software, Business should be doing business stuff, not thinking about patches. They should be blissfully unaware of the risk of not patching. IT will be concerned with Availability and will not want to install the patch. Information Security has to sit in the middle and show each camp why the patch must be applied, each in their own language, and get it done.

This has taken me a bit of time. I tried to put aside all of the hype and advertising running about in my head and come up with a good reason for NAC.

And without all the hype and such it wasn't easy. A short time back I asked a bunch of CISSPs "Are Firewalls Really Necessary?" and I see a similar question has popped up about anti-virus. I think it's good to go back and question the holy assumptions made in the past. And those holy grails of the future. I got some interesting answers to my question and the antivirus debate is heating up nicely.

When I am in doubt I turn to my collection of wisdom, quotes I have collected over the years made by guys a lot more interesting than I and a lot wiser. I hope. One of these sages is Kevin Kelly. My university lecturer was a fan of KK and we actually had to learn his rules of god for our exams. Anyhow, Kevin Kelly said "More is more than more, it's different".

What does he mean by this? How does this relate to NAC?

Take a PC and put someone in charge of it. No problem. Add another PC. No problem. At some stage the guy will have too much work, so add another guy. No problem. Add a few more PCs and a few more guys. At some stage you are no longer dealing with a few guys and some PCs. You are dealing with a Corporate Network and an IT Department.

It is at this stage that the whole takes on a life of its own. Now, Kevin Kelly encourages you to embrace this sort of chaos because something amazing may come out of it. Look at Wikipedia. No one planned that something so huge and amazing would happen; likewise the Internet. Maybe I am talking about Web1.0 and Web2.0, and when Web3.0 happens it will come out of the chaos that is the Internet and totally take center stage.

If you are trying to innovate, by all means embrace the chaos. But if you are in charge of a computer network, the chaos could produce a new way of working that will boost your company to be a leader in its field, but could more likely boost your customer list to your competitors or innovate your 5 years of financial documents into meaningless junk.

NAC is about control. Hence the name, I guess. And really, it's not a product, it's a mindset. If you like, you can limit connections by MAC address on switches; you always have been able to. You could have a big guy that walks around unplugging PCs that have no business being on your network.

Without even going into the whole "is the antivirus up-to-date, is the box patched" functionality I think it is important for a security officer to be able to say "All users on the network are authenticated."

Then he could go on to say "All the PCs on the network are up-to-date with the controls I need them to have to make sure they behave themselves".

There will be issues in doing this, and I don't see the point in having security-through-obscurity, which is what DHCP NAC seems to be. There needs to be a chokepoint, and it needs to be the switch, which is the closest trusted piece of equipment to the user. Their PC is closer, but it is not trusted.
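As an added example (not from the original post), here is what the switch-as-chokepoint idea looks like as configuration, in Cisco IOS syntax (assumed), with placeholder address and key: first the MAC-address limit the post mentions, then 802.1X so that the switch authenticates the user rather than trusting whatever MAC the PC presents.

```text
! Assumed Cisco IOS syntax; 192.0.2.10 and the shared secret are placeholders.
!
! Option 1: the MAC-address limit the post mentions (port security).
! Only the first learned MAC may use the port; frames from any other MAC are
! dropped and counted. Caveat: a MAC address is easily changed on the host,
! so this identifies a cable, not a user, and is not authentication.
interface GigabitEthernet1/0/1
 description user access port - MAC limit only
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! Option 2: 802.1X. The port passes no user traffic until a RADIUS server has
! authenticated the user or machine, which is the "all users on the network
! are authenticated" statement made enforceable at the switch.
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key PLACEHOLDER_SHARED_SECRET
dot1x system-auth-control
!
interface GigabitEthernet1/0/2
 description user access port - 802.1X
 switchport mode access
 switchport access vlan 10
 dot1x pae authenticator
 dot1x port-control auto
!
! Checks: a port reported as "Unauthorized" is carrying no user traffic;
! a non-zero violation count on the port-security port is a device that
! tried to use a cable it was not learned on.
! show dot1x interface GigabitEthernet1/0/2
! show port-security interface GigabitEthernet1/0/1
```

Note that 802.1X needs a supplicant on the PC and a RADIUS directory behind the switch; printers and other devices without a supplicant are the usual exception that has to be planned for.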

Friday, March 2, 2007

Since I started my blog and subsequently joined the Security Bloggers Network (see the side panel), I have been following a number of stories posted by other blog members.

Ok, two debates on SSAATY - open source and NAC. I have my opinion on each and here goes:

Alan contends, and I agree with him to a point, that users shouldn't be concerned with the making of software, i.e., whether it is open source, commercial, closed, powered by little rodents, etc. They should only make sure that the software does what they want it to.

However, we are security people and we deal in risks and mitigation. Using closed source software does present one with a certain risk that open source software does not, and that is: what happens if the product is discontinued?

I have seen companies spend millions on closed source software only to wind up with a solution that cannot be upgraded or changed. There are some programs that only run on DOS and are so closed and so important that the company lives with this outdated operating system. I'm not picking on DOS; think of all the proprietary financial systems that had to be quickly fixed or rewritten for Y2K on Unix. A proprietary system that at least has published and open standards (preferably industry-wide standards) would mitigate this risk to a point.

An example that just popped into my head is Internet Explorer. I know of an IT company that has built its entire way of working around an Intranet site. Good for them, but they used IE6-specific "features" in the website and it doesn't work with IE7. Had they stuck to standards they would have no problems, but they didn't.

You may argue that Open Source and Open Standards are not the same thing, but they usually go together, whereas closed standards are usually in place to protect market share and don't work very well with Open Source software (where the standards are open as soon as the code is read and analyzed).